A high-performance, browser-based static analysis tool for Solidity smart contracts — no setup, no backend, instant results.
0xSENTINEL lets you paste any Solidity smart contract and receive an instant security report — no wallets, no API keys, no Python setup required.
The analysis engine scans your code for common vulnerability patterns and returns a 0–100 Security Score along with detailed remediation advice for every detected issue. Comments and docstrings are automatically skipped to reduce false positives.
| # | Vulnerability | Severity | What It Catches |
|---|---|---|---|
| 1 | Reentrancy | 🔴 High | .call{value:...}( — unsafe external calls with ETH transfer |
| 2 | Phishing via tx.origin | 🔴 High | tx.origin used for authorization checks |
| 3 | Unchecked Low-Level Call | 🟡 Medium | .call(, .delegatecall(, .staticcall( with unchecked return value |
| 4 | Weak Randomness | 🟡 Medium | block.timestamp, block.difficulty, now used as entropy source |
| 5 | Floating Pragma | 🔵 Low | pragma solidity ^x.x.x — unlocked compiler version |
Security Score formula:
score = max(0, 100 − (High×20 + Medium×10 + Low×5))
| Layer | Technology |
|---|---|
| Framework | Next.js 16 (App Router) |
| Language | TypeScript 5 |
| Runtime | React 19 |
| Styling | Tailwind CSS v4 + CSS Custom Variables |
| Animations | Framer Motion |
| Icons | Lucide React |
| Solidity Parsing | @solidity-parser/parser, solc (installed — AST path in roadmap) |
| Syntax Highlighting | prismjs (installed — integration in roadmap) |
- Node.js 18+
- npm or yarn
```bash
# Clone the repository
git clone https://github.com/yourusername/web3-scanner.git
cd web3-scanner
# Install dependencies
npm install
# Start the dev server
npm run dev
```
Open http://localhost:3000 in your browser.
```
src/
├── app/
│   ├── page.tsx              # Main scanner UI (two-column layout)
│   ├── layout.tsx            # Root layout wrapper
│   ├── globals.css           # Cyberpunk theme + CSS variables
│   ├── actions.ts            # Next.js Server Action — calls analyzer
│   ├── vulnerabilities/
│   │   └── page.tsx          # Full vulnerability database listing
│   └── docs/
│       └── page.tsx          # How-it-works & best practices
├── components/
│   ├── Layout.tsx            # Sticky header, nav, footer shell
│   ├── CodeEditor.tsx        # Code input with line numbers
│   └── Results.tsx           # Score card + vulnerability cards
└── lib/
    └── analyzer.ts           # Core regex-based detection engine
```
- `/` — Paste your contract, hit ANALYZE, and view the report side by side. Pre-loaded with a `VulnerableBank` demo contract.
- `/vulnerabilities` — Browse all detected vulnerability types with full descriptions and remediation guides.
- `/docs` — Learn how the scanner works, the supported checks, and Solidity security best practices.
```
User pastes Solidity code
        ↓
[CodeEditor.tsx] → React state
        ↓ (button click)
[page.tsx] → calls analyze() [Next.js Server Action]
        ↓
[actions.ts] → calls analyzeContract(code)
        ↓
[analyzer.ts] → regex scan line-by-line → AnalysisReport
        ↓
[Results.tsx] → renders score card + vulnerability cards
```
The core engine in analyzer.ts parses the contract line by line using regex pattern matching, skipping comment lines to reduce noise. It exports an AnalysisReport containing all detected vulnerabilities, a timestamp, the detected contract name, and the analysis mode ('Regex' currently; 'Solc' is reserved for the upcoming AST path).
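To make the line-by-line regex approach concrete, here is an added example (not the project's `analyzer.ts`) that implements the five checks from the vulnerability table, the comment skipping, and the score formula in TypeScript; the `Finding`/`AnalysisReport` shapes, the exact regexes, and the sample contract are assumptions made for this illustration.

```typescript
// Added example, not the project's analyzer.ts: line-by-line regex scan using the README's five checks and score formula.
type Severity = 'High' | 'Medium' | 'Low';
interface Finding { line: number; name: string; severity: Severity; snippet: string }
interface AnalysisReport { findings: Finding[]; score: number }
// One regex per check, taken from the "What It Catches" column of the vulnerability table.
const CHECKS: { name: string; severity: Severity; pattern: RegExp }[] = [
  { name: 'Reentrancy', severity: 'High', pattern: /\.call\{value:/ },
  { name: 'Phishing via tx.origin', severity: 'High', pattern: /\btx\.origin\b/ },
  { name: 'Unchecked Low-Level Call', severity: 'Medium', pattern: /\.(call|delegatecall|staticcall)\(/ },
  { name: 'Weak Randomness', severity: 'Medium', pattern: /\b(block\.timestamp|block\.difficulty|now)\b/ },
  { name: 'Floating Pragma', severity: 'Low', pattern: /pragma\s+solidity\s+\^/ },
];
const WEIGHT: Record<Severity, number> = { High: 20, Medium: 10, Low: 5 };
// Drop // and /* */ comment text from one line; st.inBlock carries block-comment state to the next line.
function stripComments(line: string, st: { inBlock: boolean }): string {
  let out = '';
  for (let i = 0; i < line.length; ) {
    if (st.inBlock) {
      const end = line.indexOf('*/', i);
      if (end === -1) return out;                  // whole remainder is inside the block comment
      st.inBlock = false; i = end + 2;
    } else if (line.startsWith('/*', i)) { st.inBlock = true; i += 2; }
    else if (line.startsWith('//', i)) return out; // line comment: discard the rest
    else out += line[i++];
  }
  return out;
}
// Scan every comment-stripped line against every check. Like the README's engine this has no
// context, so a .call( whose return value IS checked is still reported (the documented false positive).
function analyzeContract(code: string): AnalysisReport {
  const st = { inBlock: false }, findings: Finding[] = [];
  code.split('\n').forEach((raw, idx) => {
    const line = stripComments(raw, st);
    for (const c of CHECKS) if (c.pattern.test(line)) findings.push({ line: idx + 1, name: c.name, severity: c.severity, snippet: raw.trim() });
  });
  const penalty = findings.reduce((sum, f) => sum + WEIGHT[f.severity], 0);
  return { findings, score: Math.max(0, 100 - penalty) }; // max(0, 100 - (High*20 + Medium*10 + Low*5))
}
// Constructed sample contract (not the project's VulnerableBank demo); lines 1, 6, 7 and 8 are flagged, score 45.
const SAMPLE = `pragma solidity ^0.8.0;
contract Bank {
    /* legacy: block.timestamp was used here, but this is a comment */
    function withdraw() public {
        // msg.sender.call{value: 1}(""); commented out, must not be flagged
        require(tx.origin == owner);
        (bool ok, ) = msg.sender.call{value: balances[msg.sender]}("");
        uint r = uint(block.difficulty) % 10;
    }
}`;
```

Calling `analyzeContract(SAMPLE)` returns one Low, two High and one Medium finding, so the penalty is 55 and the score 45; the two comment lines contribute nothing.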
| Gap | Detail |
|---|---|
| Regex-only engine | AST-based analysis via @solidity-parser/parser is installed but not yet wired up |
| Compiler not invoked | solc package is installed but never called |
| False positives | Regex can't understand context — a checked .call( will still be flagged |
| Single file only | No import resolution or multi-file project support |
| No syntax highlighting | prismjs is installed but not yet integrated into the editor |
| No file upload | Paste-only; no drag-and-drop .sol file support |
| No AI suggestions | "Fix it for me" feature is on the roadmap but not built |
| No export / share | No way to download or share a scan report |
| No scan history | No persistent history; reports are lost on page refresh |
| No interactive docs | The /docs page has text descriptions only — no live code demos |
The UI uses a cyberpunk / terminal aesthetic:
- Deep black background (`#0a0a0a`) with an animated CSS grid overlay
- Neon green (`#00ff9d`) as the primary accent color
- Glassmorphism panels with `backdrop-filter: blur`
- Framer Motion slide-in animations on all result cards
- Color-coded severity: 🔴 Red (High) / 🟡 Yellow (Medium) / 🔵 Blue (Low)
- Next.js is kept at the latest patched version (`^16.1.1`) to mitigate CVE-2025-66478 (middleware authentication bypass).
- No user data is transmitted externally. All analysis runs server-side as a Next.js Server Action with zero external API calls.
- AST-based analysis using `@solidity-parser/parser` for higher accuracy and fewer false positives
- Solidity syntax highlighting in the code editor (`prismjs` already installed)
- Drag-and-drop `.sol` file upload
- Export report as PDF / JSON
- Scan history stored in `localStorage`
- More vulnerability checks: integer overflow, access control issues, selfdestruct misuse, delegatecall to untrusted contracts
- Live / debounced auto-scan as you type
- AI-powered "Fix it for me" suggestions via LLM API
- Backend integration with Slither / Mythril
Contributions are welcome! Fork the repository, create a feature branch, and open a Pull Request.
This project is licensed under the MIT License.